Security Scanner built-in tool

Note: This tool replaces the GeneXus Security Scanner extension available in the GeneXus Marketplace. You need to be familiar with the OWASP security issues to use it.

The Security Scanner tool scans/checks objects within a Knowledge Base looking for potential security issues according to OWASP's Top 10 Security Risks.

You can open the Security Scanner Configuration Window by selecting the following options from the GeneXus IDE toolbar: Tools > Security > Security Scanner

SecurityScanner-opentool1

or apply it to a particular object or a subset of them using the "Security Scanner" Contextual Menu:

SecurityScanner-opentool2

The Environment rules will be applied only when a full scan is triggered. When a partial scan is executed (using the Contextual Menu) the Environment rules will not be applied.

Scan configuration

The tool will scan the following types of objects:

  • Environment (rules #136 and #137)
  • Generator (rule #106)
  • Web Panels
  • Transactions
  • Procedures
  • Attributes
  • Domains

The tool will not scan the following types of objects:

  • Referenced module objects
  • Unit test objects

Output

When the scan is performed using the IDE the result will be shown on a new Output Section called Security Scanner.

SecurityScanner-output

Rules configuration

For every rule, you can configure its level of severity or disable it in the Configuration Window.

SecurityScanner-severity1

Parameter encryption #100

Security Scanner analyzes objects to check if their parameters are encrypted; that is, if their Encrypt URL parameters property is set to "Session key" or "Site key."
If a <Parameter encryption> issue is found, Security Scanner will show the following message:

error 100: Parameters encryption is not set

HTML format #101

Security Scanner analyzes attributes, variables, and textblocks checking if their Format property for Web has been set to "HTML" or "Raw HTML."
If an <HTML format> issue is found, Security Scanner will show a message like this:

error 101: HTML Textblock detected in WebForm (Name 'htmltxtblock' Type 'HTML'. Name 'rawhtmltxtblock' Type 'Raw HTML'. )

Authorization #102

Security Scanner analyzes Web Panels and Transactions in the KB checking if they call an Authorization program (procedure). This rule does not apply to Master Pages and Web Components.
If an <Authorization> issue is found, Security Scanner will show a message like this:

error 102: No access control configured for this object

When using Xev2, the Integrated Security Level property is checked (GeneXus Access Manager usage).

SQL Command #103

Security Scanner analyzes KB objects looking for SQL commands.
If a <SQL Command> issue is found, Security Scanner will show a message like this:

error 103: SQL Command usage found in source

e.g.: SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]

Link Command #104

Security Scanner analyzes KB objects to check if there is a dynamic command link without parameters.
If a <Link command> issue is found, Security Scanner will show a message like this:

error 104: Parameterless LINK command usage found in source

e.g.: Link(&SomeWebPanel)

Http Protocol #105

Security Scanner analyzes Web Panels and Procedures checking if the HTTPS protocol has been specified. This means checking if the Protocol specification property has been set to "Secure (HTTPS)".

In the case of a SOAP Procedure, it inherits the protocol specification from the environment, so the rule is triggered when an insecure protocol specification is configured on the environment. This applies since GeneXus 17 upgrade 4.
If an <Http protocol> issue is found, Security Scanner will show a message like this:

error 105: HTTP protocol is not Secure

Javascript Debug Mode #106

Security Scanner analyzes the Javascript debug mode property at generator level; when enabled, the following message will be displayed:

error 106: Javascript Debug Mode is enabled

Web Components URL Access #107

Security Scanner analyzes KB objects set as Web Components checking if URL Access has been enabled for them. This means checking if the URL Access property has been set to "Yes".
If a <WC URL Access> issue is found, Security Scanner will show a message like this:

error 107: Web Component with URL Access enabled 

C#, Java, Ruby native code usage #108

Security Scanner analyzes KB objects' source section checking for the Java or C-Sharp command.
The following message is displayed:

error 108: Native Code usage found in source

HttpResponse data type usage #109

Security Scanner analyzes KB objects' variables section checking for HttpResponse data type usage.
The following message is displayed:

error 109: HttpResponse Data Type usage in variables (Name 'HttpResponse' Type 'HttpResponse'. )

LDAPClient GetAttribute method usage #110

Security Scanner analyzes KB objects' source section checking for LDAPClient Data Type GetAttribute method usage.
The following message is displayed:

error 110: LDAPClient.GetAttribute() pattern detected in source 

Directory data type usage #111

Security Scanner analyzes KB objects' variables section checking for Directory data type usage.
The following message is displayed:

error 111: Directory Data Type usage in variables (Name 'Directory' Type 'Directory'. )

File data type usage #112

Security Scanner analyzes KB objects' variables section checking for File data type usage.
The following message is displayed:

error 112: File Data Type usage in variables (Name 'File' Type 'File'. )

XMLReader ValidationType property usage #113

Security Scanner analyzes KB objects' source section checking for XMLReader Data Type ValidationType property usage.
The following message is displayed:

error 113: XmlReader Validation type property misconfiguration 

Shell function #114

Security Scanner analyzes KB objects' source section checking for Shell Function usage.
The following message is displayed:

error 114: Shell function usage found in source

Random function #115

Security Scanner analyzes KB objects' source section checking for Random function usage.
The following message is displayed:

error 115: Random function usage found in source

SetCookie function #116

Security Scanner analyzes KB objects' source section checking for SetCookie function usage.
The following message is displayed:

error 116: SetCookie function usage found in source 

Whenever possible, use the Cookie data type and enable the HttpOnly property.

Form.HeaderRawHTML property #117

Security Scanner analyzes the source section of WebPanels and Transactions checking for Form.HeaderRawHTML property usage.
The following message is displayed:

error 117: HeaderRawHTML method usage found in source

Form.JScriptSrc property #118

Security Scanner analyzes the source section of WebPanels and Transactions checking for Form.JScriptSrc property usage.
The following message is displayed:

error 118: JScriptSrc method usage found in source

IsPassword property #119

Security Scanner analyzes the source section of WebPanels and Transactions checking for IsPassword property usage.
The following message is displayed:

error 119: IsPassword Property enabled in WebForm

External Object usage #120

Security Scanner analyzes KB objects' source section checking for External object usage.
The following message is displayed:

error 120: External Object usage in variables (Name 'CustomType' Type 'CustomType'. )

In Xev2, GAM and GXflow External Objects are excluded.

User Control usage #121

Security Scanner analyzes the WebForm section of WebPanels and Transactions for User Controls usage.
The following message is displayed:

error 121: UserControl detected in WebForm Name 'CustomControl' Type 'CustomControl'.

Cookie data type usage #124

Security Scanner analyzes KB objects' variables section checking for Cookie data type usage.
The following message is displayed:

error 124: Cookie Data Type usage in variables (Name 'Cookie' Type 'cookie'. )

Whenever possible, enable the HttpOnly property.

XmlWriter WriteRawText method usage #125

Security Scanner analyzes KB objects' source section checking for the XMLWriter WriteRawText Method usage.
The following message is displayed:

error 125: XmlWriter.WriteRawText() pattern detected in source 

SDT.FromXml() pattern usage (#126)

Security Scanner analyzes KB objects' source section checking for the FromXml Method usage.
The following message is displayed:

error 126: SDT.FromXml() pattern detected in source

SDT.FromJson() pattern usage (#127)

Security Scanner analyzes KB objects' source section checking for the FromJson Method usage.
The following message is displayed:

error 127: SDT.FromJson() pattern detected in source

XMLReader ReadRawXML method usage (#128)

Security Scanner analyzes KB objects' source section checking for the XMLReader Data Type's ReadRawXML Method usage.
The following message is displayed:

error 128: XmlReader.ReadRawXML() pattern detected in source 

Blob usage (#129)

Security Scanner analyzes KB objects' variables section checking for Blob data type usage.
The following message is displayed:

error 129: Blob usage detected in object (Variable: blob) 

JSEvent usage (#130)

Security Scanner analyzes KB objects' source section checking for the JSEvent Method usage.
The following message is displayed:

error 130: JSEvent usage found in source 

SoapHeaderRaw (#131)

Security Scanner analyzes KB objects' source section checking for the SoapHeaderRaw nonstandard function usage.
The following message is displayed:

error 131: soapHeaderRaw usage found in source

PathToURL usage (#132)

Security Scanner analyzes KB objects' source section checking for the PathToURL function usage.
The following message is displayed:

error 132: PathtoUrl usage found in source

XMLReader ReadExternalEntities (#133)

Security Scanner analyzes KB objects' source section checking for the XMLReader Data Type ReadExternalEntities Property usage.
The following message is displayed:

error 133: XmlReader ReadExternalEntities pattern detected in source

SDT.FromXmlFile() pattern usage (#134)

Security Scanner analyzes KB objects' source section checking for the FromXmlFile method usage.
The following message is displayed:

error 134: SDT.FromXmlFile() pattern detected in source

SDT.FromJsonFile() pattern usage (#135)

Security Scanner analyzes KB objects' source section checking for the FromJsonFile method usage.
The following message is displayed:

error 135: SDT.FromJsonFile() pattern detected in source

Parameter encryption (Environment) #136

Security Scanner analyzes the KB Environment to check if its parameters are encrypted; that is, if its Encrypt URL parameters property is set to "Session key" or "Site key."
If a <Parameter encryption> issue is found, Security Scanner will show the following message:

error #136: Parameters encryption is not set (Environment)

Http Protocol #137

Security Scanner analyzes the KB Environment checking if the HTTPS protocol has been specified. This means checking if the Protocol specification property has been set to "Secure (HTTPS)".
If an <Http protocol> issue is found, Security Scanner will show a message like this:

error #137: Http protocol is not Secure

Advanced configuration

Security objects Whitelist

SecurityScanner-whitelist1

Using this field, you can select the objects and rules to be whitelisted, that is, excluded from the analysis.

SecurityScanner-whitelist2

SecurityScanner-whitelist3

Authorization Procedure

SecurityScanner-whitelist1

If you are not using GAM, this field allows you to select a Procedure or Master Page that contains the authorization logic. The scan will flag with an error every object that neither calls the selected authorization Procedure nor uses the selected Master Page.

SecurityScanner-authorizationProc1

If you select some other type of object (neither a Master Page nor a Procedure), the scan will ignore this configuration.

Running Security Scanner using MsBuild task

A new Task called Scan is defined that allows you to run the scanner from an MSBuild script. This task can be included in any server-side CI/CD pipeline.

This task will execute the configuration previously set through the Security Scanner Configuration Window.

<Project DefaultTargets="SecurityScan" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

    <Import Project="$(GXInstall)\genexus.tasks.targets"/>
    <Import Project="$(GXInstall)\security.tasks.targets"/>

    <Target Name="SecurityScan">
        <OpenKnowledgeBase Directory="$(KBDir)"    />
        <SecurityScan XmlOutputFile="securityTest.xml"/>
    </Target>
</Project>

By specifying XmlOutputFile, the Errors and Warnings are written to that file in XML format.

Running the Scanner from the command line

msbuild securityscantest.msbuild /verbosity:minimal /t:SecurityScan /p:KBDir=c:\mykbpath /p:GXInstall=c:\genexusinstalldir
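When the scanner runs inside a pipeline, the findings still have to be turned into a pass/fail decision that respects the per-rule severity set in the Rules configuration window and the object/rule whitelist. The script below is an added example written for this page; it is not part of GeneXus or of the Security Scanner tool. It reads findings in the one-line "error NNN: message" form documented in the rule sections above (rules #136 and #137 print "error #NNN"), applies a severity map and a whitelist of (object, rule) pairs, and returns a non-zero status when blocking errors remain. The "ObjectName: " prefix on each line, the severity overrides, the whitelist entries and the sample lines are all constructed for the example and are not a format documented on this page.

```python
"""CI gate over Security Scanner findings (added example, not GeneXus code).

Documented input form: "error NNN: message" (rules 136/137 use "error #NNN").
Assumed for this example: an optional "ObjectName: " prefix so that the
whitelist can match on object name.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# "<object>: error NNN: message" or just "error NNN: message".
FINDING_RE = re.compile(
    r"^(?:(?P<obj>[^:\s][^:]*):\s+)?error\s+#?(?P<rule>\d+):\s*(?P<msg>.*?)\s*$"
)

# Mirrors the Rules configuration window: every rule blocks the build ("error")
# unless overridden. The overrides below are constructed for this example.
DEFAULT_SEVERITY = "error"
SEVERITY: Dict[int, str] = {
    106: "warning",   # Javascript Debug Mode: report, do not block
    115: "disabled",  # Random function: rule switched off for this KB
}

# Mirrors the Security objects Whitelist: (object name, rule number) pairs that
# were reviewed and accepted. Constructed entry.
WHITELIST: Set[Tuple[str, int]] = {
    ("WebPanel1", 103),
}

# Constructed sample of scanner output lines (not real scanner output). The
# message texts are the ones documented for each rule above.
SAMPLE_OUTPUT: List[str] = [
    "WebPanel1: error 100: Parameters encryption is not set",
    "WebPanel1: error 103: SQL Command usage found in source",
    "Proc_Report: error 115: Random function usage found in source",
    "DefaultGen: error 106: Javascript Debug Mode is enabled",
    "Env_Main: error #137: Http protocol is not Secure",
    "error 104: Parameterless LINK command usage found in source",
    "Build succeeded.",
]


def parse_finding(line: str) -> Optional[dict]:
    """Return {"object", "rule", "message"} for a finding line, else None."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    return {
        "object": m.group("obj") or "",
        "rule": int(m.group("rule")),
        "message": m.group("msg"),
    }


def classify(finding: dict, severity: Dict[int, str],
             whitelist: Set[Tuple[str, int]]) -> str:
    """Map one finding to 'whitelisted', 'disabled', 'warning' or 'error'.

    The whitelist is checked first so an accepted (object, rule) pair never
    blocks, whatever severity the rule has."""
    if (finding["object"], finding["rule"]) in whitelist:
        return "whitelisted"
    return severity.get(finding["rule"], DEFAULT_SEVERITY)


def evaluate(lines: Iterable[str], severity: Dict[int, str] = SEVERITY,
             whitelist: Set[Tuple[str, int]] = WHITELIST) -> Counter:
    """Count findings per outcome; non-finding, non-empty lines are 'unparsed'."""
    counts: Counter = Counter()
    for line in lines:
        finding = parse_finding(line)
        if finding is None:
            if line.strip():
                counts["unparsed"] += 1
            continue
        counts[classify(finding, severity, whitelist)] += 1
    return counts


def gate(lines: Iterable[str], severity: Dict[int, str] = SEVERITY,
         whitelist: Set[Tuple[str, int]] = WHITELIST) -> int:
    """Print a summary and return 1 if any blocking error remains, else 0."""
    counts = evaluate(lines, severity, whitelist)
    for key in ("error", "warning", "whitelisted", "disabled", "unparsed"):
        print(f"{key:11s} {counts[key]}")
    return 1 if counts["error"] else 0


if __name__ == "__main__":
    # Feed real output via stdin, e.g. `msbuild ... | python gate.py`;
    # with no piped input the constructed sample is used.
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read().splitlines()
    sys.exit(gate(source))
```

With the constructed sample, rule 103 on WebPanel1 is suppressed by the whitelist, rule 115 by its "disabled" severity, and rule 106 is reported as a warning only; the three remaining findings (rules 100, 137 and 104) block the build. Running with an empty severity map and whitelist shows the default behaviour, where every documented rule blocks.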

Availability

This tool is available since GeneXus 17 upgrade 3.